Security: Mathews-Tom/armory

SECURITY.md

Security Policy

Reporting a Vulnerability

Report security vulnerabilities via one of these channels:

  • Email: Send details to the repository maintainer
  • GitHub Security Advisory: Use the "Report a vulnerability" button on the Security tab

Include a description of the issue, steps to reproduce, and potential impact.

Response Timeline

  • Acknowledgment: Within 48 hours of receipt
  • Status update: Within 7 days
  • Disclosure: 90-day coordinated disclosure timeline from acknowledgment

Scope

Vulnerabilities in:

  • Skill scripts and SKILL.md definitions
  • CI/CD workflows in this repository
  • Packaging scripts (scripts/)

Out of Scope

  • Vulnerabilities in the Claude platform or API — report those to Anthropic
  • Issues in third-party tools referenced by skills
  • Social engineering attacks

Responsible Disclosure

Do not publicly disclose vulnerabilities before the 90-day window expires or before a fix is available, whichever comes first. Credit will be given to reporters who follow this policy.
